angr, a binary analysis framework


angr 


>>> import angr
>>> proj = angr.Project('./fauxware-amd64')
>>> cfg = proj.analyses.CFG(); cfg.function_manager.functions
{4195600L: <Function sub_400510 (0x400510)>,
 4195616L: <Function sub_400520 (0x400520)>,
 4195632L: <Function sub_400530 (0x400530)>,
 4195648L: <Function sub_400540 (0x400540)>,
 4195664L: <Function sub_400550 (0x400550)>,
 4195680L: <Function sub_400560 (0x400560)>,
 4195696L: <Function sub_400570 (0x400570)>,
 4195712L: <Function _start (0x400580)>,
 4195940L: <Function authenticate (0x400664)>,
 4196077L: <Function accepted (0x4006ed)>,
 4196093L: <Function rejected (0x4006fd)>,
 4196125L: <Function main (0x40071d)>}
>>> ex = proj.surveyors.Explorer(find=0x4006ed).run()
>>> ex.found[0].state.posix.dumps(0)
'\x00\x00\x00\x00\x00\x00\x00\x00\x00SOSNEAKY\x00'


What is angr? 

angr is a framework for analyzing binaries. It focuses on both static and dynamic symbolic 
("concolic") analysis, making it applicable to a variety of tasks. 


What's it made of? 

angr is made up of several subprojects, all of which are open-source! 

• an executable and library loader, CLE 

• a library describing various architectures, archinfo 

• a Python wrapper around the binary code lifter VEX, PyVEX

• a VEX simulation engine, SimuVEX

• a data backend to abstract away differences between static and symbolic domains, Claripy

• the full-program analysis suite itself, angr

• a GUI for some features of angr, angr-management


How has it been used academically? 

If you have used angr or its sub-components in research, please cite the paper that it was 
developed for: 

@article{shoshitaishvili2015firmalice,
  title={Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware},
  author={Shoshitaishvili, Yan and Wang, Ruoyu and Hauser, Christophe and Kruegel, Christopher and Vigna, Giovanni},
  booktitle={NDSS},
  year={2015}
}

You can also read the paper here!


And non-academically? 

angr was one of the underpinnings of Shellphish's Cyber Reasoning System for the DARPA 
Cyber Grand Challenge, enabling them to qualify for the CGC finals! Shellphish has also 
used angr in many CTFs! 


Whom can I contact? 

If you have questions about a subcomponent of angr, please open an issue on GitHub (or send
us a pull request!). If you have questions or comments, drop us a line at the mailing list at
angr AT lists.cs.ucsb.edu or hang out on the IRC channel (#angr on freenode).


Who works on angr? 

angr is worked on by several researchers in the Computer Security Lab at UC Santa
Barbara. Major contributors (arbitrarily, 1000+ lines of code!) include:

• Yan Shoshitaishvili 

• Ruoyu (Fish) Wang 

• Andrew Dutcher 

• Christophe Hauser 

• John Grosen 

• Chris Salls

• Nick Stephens 

angr owes its existence to research sponsored by DARPA under agreement number
N66001-13-2-4039!


How do I learn? 

There are a few resources you can use to help you get up to speed! 

• The documentation repository, including ready-to-run examples.

• The presentations from angr's debut at DEFCON 23 (Video 1) and Blackhat 2015 (Video 1).

• Presentations discussing Shellphish's use of angr in the DARPA Cyber Grand Challenge at
HITCON ENT 2015, HITCON CMT 2015, and 32C3.


How can I help? 

There are many ways to participate! Here are some ideas: 

• Report bugs. We know they exist, but it's not always clear where they are! 

• Write documentation. An analysis system like angr can be a bit overwhelming. If you're
using it, and could send a pull request for our documentation repo, we would be eternally
grateful! This includes examples -- if you use angr for something cool, send us a pull
request with an example!

• Implement more environment support. We use the concept of "function summaries" in angr
to model the environment of operating systems (i.e., the effects of their system calls) and
library functions. Extending this would be greatly helpful in increasing angr's utility. These
function summaries can be found here.


The angr workshop at 32c3 has been scheduled for a second day! If you would like to
learn about the basics of using angr, please attend this event in room 13, Wednesday
at 14:30.